[BreachExchange] How to protect your workplace from cyber-crime

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 2 19:06:26 EST 2018


In November, ride-hailing company Uber revealed that a data breach had
compromised the personal information of 57 million customers around the
globe. It is estimated that 2.7 million users of the popular app in the UK
may have been affected.

This story is one of a growing number of high-profile cyber-attacks on
businesses and public organisations. Earlier in the year, the NHS was hit
by ransomware, a type of malicious software designed to block access to a
computer system until a sum of money is paid. Ominously named ‘WannaCry’,
the ransomware spread to thousands of computers in hospitals and GP
surgeries across the country using an exploit that appeared to have been
stolen from the National Security Agency in the US. In this case, a
message popped up on computer screens demanding up to $600 in exchange for
restoring access to the PC. As many as 19,500 medical appointments
were cancelled and five hospitals had to divert ambulances to different
locations, while people were advised to seek medical care only in

The threat

With the proliferation of new technologies, new threats to cyber-security
are emerging. More people have access to sensitive data and more devices
are connected to the internet than ever before. In fact, American research
firm Gartner has estimated that 8.4 billion “things” will be connected by
the end of this year, with one billion of those devices to be deployed in
commercial buildings.

This soon-to-be megatrend, known commonly as the “Internet of Things”
(IoT), has hugely positive implications for business owners and building
managers. IoT is leading an evolution in smart buildings by giving
organisations the power to automate facilities management processes
including lighting, heating, ventilation and air conditioning, as well as
lifts, escalators and security. The connected technology is not only giving
organisations unprecedented control of their surroundings, such as the
ability to adjust preferences for lighting and heating via mobile apps, but
also access to mammoth amounts of building data that can help them make far
better informed decisions about their working environments in areas like
energy usage and health & safety compliance.

But this new power comes at a price. Cyber criminals now have more
opportunities to steal sensitive information and breach critical
infrastructure, while richer data sets are prized targets for would-be

Despite the risks, however, organisations are not doing enough to protect
their buildings and processes. The Cyber Security Breaches Survey 2017
found that almost half of all UK businesses experienced at least one
cyber-security attack in the past year, yet a staggering two-thirds of
businesses do not have basic protection in place. Before the WannaCry
outbreak, 88 health trusts in England had failed an on-site cyber-security
assessment by NHS Digital, and Sir Amyas Morse, the head of the National
Audit Office, said the incident was a “relatively unsophisticated attack
and could have been prevented by the NHS following basic IT security best
practice”.

The defence

Businesses can take a series of steps to ensure they do not meet the same
fate as the NHS. First and foremost, organisations should produce a best
practice cyber-security strategy in consultation with every stakeholder
involved in the manufacturing, development and deployment of IoT devices
and infrastructure.

A formal risk assessment should be commissioned to identify the appropriate
security baseline, alongside the adoption of an information security
standard such as ISO 27001. Once this is in place, it is crucial that
organisations find weaknesses in their cyber-security before attackers do.
Carry out both internal and external penetration tests on the network
using “friendly hackers”: outside specialists who attempt to breach your
network and identify security holes. For a connected building, the scope of
those tests should include the building management and IoT networks, not
just the corporate IT estate.

Four years ago, Google’s Wharf 7 office in Sydney, Australia, was hacked by
two security researchers who were able to access the building control
panel, which showed the layout of water pipes on one of the floors. A
malicious breach of the same system could have led to a ransomware attack
and significant damage to the building.

It is also crucial that organisations train employees to take better care
of their own data and security practices. End-user access to the network is
a considerable area of vulnerability: research has found that 23% of
employees use the same password for different applications, and 16% work
while connected to public Wi-Fi networks. Employee security training can
help to educate staff about the risks and improve their working habits.

We live in an increasingly connected world – this is undeniable – but
cyber-crime is one consequence of this brave new world. So it is down to
organisations to ensure that they’re not only ahead of the curve when it
comes to workplace technologies but also one step ahead of the cyber